> "How are people supposed to know that they need to go and find a separate security tutorial (and not a W3Schools one, they don't have one)?"

Whenever they realize they don't understand something. This could happen by reflecting on the material or after making a mistake.

> "Following that tutorial introduces massive security holes into a site."

I've touched on this on other parts of this page.

> Whenever they realize they don't understand something.

Which is quite likely to be when their customers' data gets leaked or altered. That's a really bad time to discover a hole in your understanding.

> "Which is quite likely to be when their customers' data..."

Who would hire someone who only has W3Schools knowledge? Are we really worried about them?

> Who would hire someone who only has W3Schools knowledge?

And this pretty much negates your whole argument. If you ever plan on getting hired or being taken seriously enough to get clients, this isn't the resource. How pissed would you be to find out at an interview or after a breach that the site you used to learn all this stuff was the laughing stock of developers?

How would a non-technical person hiring a freelance web developer to do their site know that developer learned everything from W3Schools and is going to leave gaping security holes?

If people, beginners or not, come to w3schools and take it as the bible then they are in the wrong field and need to quit NOW.

I'd say it was fairly obvious that this is a bare bones basics site (I used it, albeit about 10 years ago) that needs to lead on to something else...

But granted they should may be put in a "next steps" type section of things people should read in to further.